CVE-2026-28790
Broken Access Control in OliveTin Allows Unauthorized Action Termination
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| olivetin | olivetin | all versions before 3000.11.0 (3000.11.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28790 is a broken access control vulnerability in OliveTin versions prior to 3000.11.0. It allows unauthenticated guests to terminate running actions by calling the KillAction RPC directly, even when the configuration option authRequireGuestsToLogin is enabled. Guests are blocked from loading the dashboard, but nothing stops them from invoking the kill endpoint, so they can stop legitimate running actions and cause an unauthorized denial of service. The only thing an attacker needs beyond network reach is a valid executionTrackingId for the action to be killed, which must be known or guessed.
The root cause is inconsistent authorization enforcement: dashboard access honours the guest login requirement, but the KillAction RPC does not. The configuration sanitization that applies when guests must log in disables guest permissions for most operations but leaves the kill permission enabled, so guests can issue kill requests without ever authenticating.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated users to disrupt running actions or jobs in OliveTin. Attackers can terminate legitimate processes without any credentials, causing unauthorized denial of service. This can interfere with privileged operations and disrupt multi-user environments where actions may run for extended periods.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
No assessment is available for this question.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthenticated guests calling the KillAction RPC directly to terminate running actions, so detection centres on KillAction calls that originate from guest or unauthenticated principals.
You can detect exploitation attempts by checking server logs for KillAction requests made as "guest" or without any authenticated identity, especially those that result in the termination of a running action.
Since exploitation requires knowing or predicting a valid executionTrackingId, monitoring network traffic for repeated or unexpected calls to the KillAction endpoint can also reveal attempts.
Specific commands depend on your logging and monitoring setup, but examples include:
- Using grep or similar tools on server logs to find KillAction calls by guest users, e.g. `grep 'KillAction' /path/to/olivetin/logs | grep 'guest'`.
- Using network monitoring tools (such as tcpdump or Wireshark) to filter for RPC calls to the KillAction endpoint.
- Checking application logs for HTTP 403 responses on dashboard access paired with successful KillAction RPC calls from the same unauthenticated source.
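The detection logic above, as an added example that is not part of this page or of OliveTin itself. It runs over a few constructed access-log lines in a simple `timestamp ip method path user=... status=...` layout (not OliveTin's real log format; adapt `LINE_RE` to whatever your reverse proxy or OliveTin writes). The routes `/api/KillAction` and `/api/GetDashboardComponents` are assumed to be the HTTP gateway paths for the KillAction and dashboard RPCs. It flags every KillAction call made by a guest principal, counts the ones the server accepted, and lists the client addresses that were refused the dashboard yet still had a kill accepted, which is the exact inconsistency this CVE describes.

```python
"""Scan access-log lines for KillAction calls by guest / unauthenticated principals.

Added example; the log layout below is constructed for illustration and is not
OliveTin's own log format. The paths are assumed gateway routes for the RPCs.
"""
import re

# Principals that denote a guest or unauthenticated caller in these constructed logs.
GUEST_PRINCIPALS = {"guest", "-", ""}
KILL_PATH = "/api/KillAction"                    # assumed route for the KillAction RPC
DASHBOARD_PATH = "/api/GetDashboardComponents"   # assumed route for the dashboard RPC

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)"
    r"\s+user=(?P<user>\S*)\s+status=(?P<status>\d{3})"
)

# Constructed sample traffic: 203.0.113.7 is refused the dashboard (403) but has two
# KillAction calls accepted; 203.0.113.9's KillAction is correctly refused (patched
# behaviour); alice is an authenticated operator whose calls are legitimate.
SAMPLE_LOG = """\
2026-03-06T10:00:01Z 203.0.113.7 GET /api/GetDashboardComponents user=guest status=403
2026-03-06T10:00:02Z 203.0.113.7 POST /api/KillAction user=guest status=200
2026-03-06T10:00:05Z 198.51.100.4 POST /api/KillAction user=alice status=200
2026-03-06T10:00:09Z 203.0.113.7 POST /api/KillAction user=guest status=200
2026-03-06T10:00:10Z 203.0.113.9 POST /api/KillAction user=guest status=403
2026-03-06T10:00:12Z 198.51.100.4 GET /api/GetDashboardComponents user=alice status=200
"""


def parse_line(line):
    """Return a dict of fields for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def guest_kill_events(log_text):
    """All KillAction requests whose principal is a guest or unauthenticated caller."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == KILL_PATH and rec["user"] in GUEST_PRINCIPALS:
            events.append(rec)
    return events


def accepted_guest_kills(log_text):
    """Guest KillAction requests the server did not refuse (status < 400).
    On an affected build these correspond to actions actually terminated."""
    return [e for e in guest_kill_events(log_text) if e["status"] < 400]


def dashboard_denied_but_kill_accepted(log_text):
    """Client IPs refused the dashboard (403) that still had a guest KillAction accepted."""
    denied, accepted = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["path"] == DASHBOARD_PATH and rec["status"] == 403:
            denied.add(rec["ip"])
        if rec["path"] == KILL_PATH and rec["status"] < 400 and rec["user"] in GUEST_PRINCIPALS:
            accepted.add(rec["ip"])
    return sorted(denied & accepted)


def report(log_text):
    """Summary counts suitable for an alert or quick triage."""
    return {
        "guest_kill_attempts": len(guest_kill_events(log_text)),
        "guest_kills_accepted": len(accepted_guest_kills(log_text)),
        "bypass_sources": dashboard_denied_but_kill_accepted(log_text),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A refused guest KillAction (the 403 line) is still worth alerting on: it is an attempt, and on an unpatched server the same request would have succeeded. Feed the function real log text with `report(open(path).read())` once the regex matches your format.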
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OliveTin to version 3000.11.0 or later, where this vulnerability has been patched.
The patch disables the default permission for the Kill action for guests, preventing unauthenticated users from invoking KillAction.
If an immediate upgrade is not possible, restrict network access to the OliveTin service to trusted users only (for example by placing it behind a reverse proxy that authenticates every request, API paths included), so that unauthenticated guests cannot reach the KillAction RPC endpoint at all.
Additionally, review and tighten the access control configuration so that guest users hold no privileged permissions, and confirm after any change that an unauthenticated KillAction request is refused.
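An added illustration of the configuration review, not taken from this page or from the OliveTin project: the first document shows the exposed state on an affected build (guests must log in, but the default permission set that guests inherit still grants kill), the second the hardened state, where kill is removed from the defaults and granted only through an ACL matched to an authenticated group. The keys `defaultPermissions`, `accessControlLists`, `matchUsergroups` and `permissions.kill` are assumed from OliveTin's configuration layout and should be checked against the documentation for your version.

```yaml
--- # config.yaml, exposed state (assumed key names; guests inherit defaultPermissions)
authRequireGuestsToLogin: true
defaultPermissions:
  view: false
  exec: false
  logs: false
  kill: true        # left enabled by the sanitiser in versions before 3000.11.0

--- # config.yaml, hardened state (assumed key names)
authRequireGuestsToLogin: true
defaultPermissions:
  view: false
  exec: false
  logs: false
  kill: false       # nothing for guests, including kill
accessControlLists:
  - name: operators
    matchUsergroups: [operators]   # only authenticated members of this group may kill
    permissions:
      view: true
      exec: true
      logs: true
      kill: true
```

On an affected build the sanitiser may still override what you set for guests, so treat the explicit `kill: false` as defence in depth rather than a fix: after applying it, send an unauthenticated KillAction request with a random executionTrackingId and confirm it is refused, then upgrade to 3000.11.0 or later.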